Archives

Web Application Scanning (Tenable)

""  Overview and Key Features:

The web application scanning service helps identify security vulnerabilities in internally managed web applications using the Tenable platform.

Vulnerability scanning is required for all organizational systems by the university’s Information Security Control Standard (control RA-2), which states that scanning must occur “periodically and when new vulnerabilities affecting those systems and applications are identified”.

This service is available to faculty and staff who manage web applications. Examples include WordPress websites, Pepper applications and commercial applications such as REDCap. It is not intended for student use or for third-party hosted services.

When to request a scan:

  • Before go-live of a new web application
  • After significant changes to an existing application

Note: Production scans are strongly discouraged unless there is no alternative, as they may cause disruption.

""   Getting Started:

Submit a request via the Enterprise Service Centre (ServiceNow).

  • The request form will require you to provide the application details (e.g. URL, hosting environment, criticality level).
  • The Risk Management team will schedule and execute the scan based on priority and availability.
  • Once completed, a report will be attached to your Enterprise Service Centre ticket with scan findings and recommendations.

Requestor requirements

  • Must be the service or application owner or have written approval
  • Must have authority to approve scans and implement mitigations

""   Get Help:

For troubleshooting, inquiries or scan-related support, please use one of the following options:

 

Weblogin

"" Overview and Key Features:

Weblogin is the web single sign-on service, which is used by hundreds of University service providers to provide authentication via UTORid/password. It also provides ‘coarse-grained’ authorization attributes such as affiliation and email address, which can be used by services to create and maintain local accounts and restrict access. Weblogin uses Shibboleth as the underlying technology.

  • Federated access

The University’s Weblogin service is integrated with the Canadian Access Federation, a Canada-wide service that provides access to Canadian and worldwide services, including:

  • Weblogin access integration with other Canadian higher-ed services.
  • University of Toronto services access via other Canadian institution access systems.
  • Integration with eduGAIN, a service that extends the Canadian higher-ed federated capability to educational institutions in the United States and across the world.

""  Getting Started:

Access the Weblogin service

  • Users:

For information on using federated login services, visit the CANARIE website or contact Information Security.

  • Technical staff:

To implement Weblogin, refer to “Installing and configuring Shibboleth”, and “SAML attributes available from Weblogin”.

""   Get Help:

For Weblogin issues, contact your local help desk.

Vulnerability Management Service (VMS)

"" Overview and Key Features:

Vulnerability management is the process of identifying, evaluating, treating and reporting on security vulnerabilities in systems and the software that runs on them. This, implemented alongside other security tactics, is vital for organizations to prioritize potential risks and minimize their attack surface.

Security vulnerabilities refer to technological weaknesses that allow malicious actors to compromise a product and the information it holds. This process needs to be performed continuously to keep up with new systems being added to networks, changes that are made to systems and the discovery of new vulnerabilities over time.

""  Getting Started:

The cost for the VMS is being incurred by Information Security and will be provided as a complimentary service to all tri-campus units. The vulnerability scan results are restricted to a need-to-know basis.

If you are authorized, the vulnerability scan results associated with your unit can be accessed through the Vulnerability Reporting Portal by logging in with your UTORid.

If you are a network or server administrator and do not have access to the vulnerability scan results for systems you manage, contact us at security.admin@utoronto.ca.

""   Get Help:

For information about use of Tenable at the University of Toronto, refer to the Tenable.IO University Training Guide. Additionally, you can find free Tenable tutorials on the Tenable website.

TLS Certificates

"" Overview and Key Features:

Transport Layer Security (TLS) certificates, formerly known as Secure Sockets Layer (SSL) certificates, are digital certificates that keep your internet connection safe by encrypting the data between your web browser, the website and its server.

The TLS service provides a cost advantage over purchasing it direct from a commercial certificate authority. Other benefits include:

  • The site validation process for the utoronto.ca or toronto.edu domains is completed.
  • There is no cost charged back to the individual department or division for most certificate products.
  • Notification of imminent certificate expiry is provided at least two weeks before the expiry date.
  • Information Security adds a departmental contact vetting process to ensure authorization to use server certificates.
  • Automatic certificate renewal (ACME) is available for this service.

""  Getting Started:

Information Security, part of ITS, facilitates the purchase of Sectigo TLS certificate products for University server administrators. To order certificates, you use the Sectigo Certificate Manager.

To order a new TLS certificate, refer to the ordering a TLS certificate article in ESC.

To set up automatic renewal for an existing TLS certificate, refer to the using ACME automatic renewal article in ESC.

""   Get Help:

For support, submit a request via the Enterprise Service Centre (ESC).

Tabletops as a Service (ImmersiveLabs)

"" Overview and Key Features:

We provide a tool for incident response training to help you prepare your staff for various information-security incidents. The Immersive Labs Crisis Sim platform is designed to enhance your team’s strategic decision-making skills in different types of security incidents.

""  Getting Started:

Facilitators should request access in ESC.

Participants don’t need to register. You’ll receive a link when you’re invited to an exercise.

Usage Guide.

""   Get Help:

Vendor support: Immersive Labs help center (logged-in users only)

Internal support: Email security@utoronto.ca to create an ESC ticket.

Security Awareness and Training (SAT)

"" Overview and Key Features:

Security Awareness and Training (SAT) service is designed to equip staff, librarians and faculty with the knowledge, practices and technologies needed to protect themselves and the University from cyber threats.

This service is institutionally funded and comes at no cost to units.

  • Essential security and privacy modules: Engaging, short and interactive training modules to provide baseline knowledge in security and privacy
  • Monthly Phishing Simulations: Realistic phishing exercises to test users’ ability to identify and report malicious emails
  • Delegated access to units: Units get delegated access to the SAT platform and can onboard their users at their own pace

""  Getting Started:

This service is offered to all staff, librarians and faculty through their unit administrators. Any unit can join the service by submitting a SAT service unit onboarding request.

Once onboarded into the Security Awareness and Training (SAT) service, users receive initial onboarding training, followed by quarterly refresher modules. For more information, refer to the SAT user onboarding workflow article.

For details on the delineation of responsibilities between the unit and the institutional service team, please refer to the SAT service roles and responsibilities (RACI) chart document.

""   Get Help:

To request support, as an end user: Please contact your local administrator.

To request support, as a unit administrator: Please submit a SAT service support request.

For any other questions or feedback: security.training@utoronto.ca

Risk Guidance and General Inquiries

"" Overview and Key Features:

The Information Risk team is available to provide guidance and answer general inquiries about information security risk management. This service can help to enable units and divisions to manage their exposure to risks and make risk-informed decisions.

""  Getting Started:

To access this service, please submit a ESC ticket.

""   Get Help:

All questions about risk are welcome. If you have a question or you’re unsure whether something is an information security risk, please reach out to Kanupriya Kejriwal, Manager, Risk Management at kanupriya.kejriwal@utoronto.ca.

Research Cyber Security Training

"" Overview and Key Features:

Research cyber security training aims to:

  • Equip research teams with cyber security best practices
  • Offer discipline- and solution-specific training
  • Address cyber security questions related to research, roles and solutions
  • Fulfill training requirements for specific applications and agreements

Through researcher-focused cyber security training, teams will gain a general understanding of how to better secure their research projects. Training is delivered synchronously, either virtually or in person.

""  Getting Started:

Connect with the Research Information Security Program team via Enterprise Service Centre (ESC) to safeguard research knowledge, intellectual property and data.

""   Get Help:

Contact the Research Information Security Program team: research.infosec@utoronto.ca.

Research Cyber Security and Risk Documentation

"" Overview and Key Features:

Research cyber security and risk mitigation plans aim to:
  • Document the security measures in place for an information system, and/or
  • Outline how cyber security safeguards are implemented to mitigate risks associated with a research project.

As a result of these research cyber security and risk mitigation plans, researchers will receive the necessary security documentation for certain funding applications and research agreements. Document generation will be carried out in collaboration with the research team, as well as relevant technical and security staff.

""  Getting Started:

  • Types of Documentation:

A cyber security plan aims to document, at a high level, the information security controls, practices and procedures in place for a research project and its associated information systems and solutions.

A cyber risk mitigation plan outlines the cyber security-related mitigations that have been or will be implemented to address various risks related to a research project (e.g., sharing data with external collaborators).

Connect with the Research Information Security Program team via Enterprise Service Centre ESC to safeguard research knowledge, intellectual property and data.

""   Get Help:

Contact the Research Information Security Program team: research.infosec@utoronto.ca.

Research Cyber Risk Assessments

"" Overview and Key Features:

A Research Cyber Security, Threat and Risk Assessment (R-CSTRA) aims to:

  • Identify potential security risks, threats and gaps related to your research project.
  • Recommend services and methods to enhance the security of your research project.
  • Evaluate your project’s alignment with the U of T’s Information Security Control Standard and other relevant requirements.

Through an R-CSTRA, researchers will gain a clearer understanding of their project’s security posture and the cyber threats and risks that could impact their intellectual property. Assessments are conducted in collaboration with the research team and relevant technical and security staff to ensure a comprehensive and tailored approach.

""  Getting Started:

Assessment types:

  • Basic

A basic R-CSTRA provides a high-level review of a research project and the information systems and solutions that interact with research data (e.g., collection, generation, processing, storage) to identify potential threats and risks. This assessment is designed for low-risk projects that involve level 1, level 2 or lower-risk level 3 data, with minimal regulatory or security requirements.

  • Advanced

An advanced R-CSTRA involves a comprehensive review of a research project and all associated information systems and solutions that interact with research data. This assessment evaluates potential threats and risks and includes an in-depth analysis of information systems and solutions against the university’s Information Security Control Standard. It is intended for medium- and high-risk projects that involve higher-risk level 3 and level 4 data or require a robust data governance structure and adherence to significant regulatory requirements.

Connect with the Research Information Security Program team via Enterprise Service Centre to safeguard research knowledge, intellectual property and data.

""   Get Help:

Contact the Research Information Security Program team: research.infosec@utoronto.ca.